Netgate Discussion Forum

    How to access a DSL modem through pfSense?

    21 Posts 10 Posters 24.8k Views
    • edmund

      I'm running the current 1.2.3-RELEASE on nanobsd via an ALIX box and using an AT&T Westell DSL modem configured in pass-through mode. Thus pfSense configures the WAN interface as PPPoE and handles the login.  My LAN side uses addresses in the range 192.168.3.* provided via DHCP while the WAN IP on the pfSense box is pulled from ATT.  Packet flow is thus:

      DSL phone line <--> modem <--> 68.155.82.67 (pfSense WAN) <--> ALIX <--> 192.168.3.* (LAN)

      This has been working well but now the DSL connection is dropping packets and I need to access the Westell modem directly through pfSense to run diagnostics - the modem supports an HTTP port via 192.168.1.254 - so I need to be able to access this address from the pfSense LAN side.

      What do I need to do to access 192.168.1.254 on the WAN side from the LAN side of pfSense?

      I've tried unchecking "Block private networks" on the WAN interface and added a rule to allow 192.168.1.254 in from the WAN to the LAN subnet (LAN is always allowed out) but nothing seems to work.  What am I missing?

      • edmund

        Running tracert shows that the packets from inside the LAN go straight through pfSense to the DSL gateway (68.152.185.218) - see attached png file.

        Unplugging the DSL modem from the pfSense WAN connection and plugging a laptop directly into the modem pulls an address for the laptop via DHCP from the modem and displays the modem diagnostics page at 192.168.1.254 so I know that port 80 is accessible.

        untitled.PNG

        • GruensFroeschli

          http://doc.pfsense.com/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • TreeTopFlyer

            So by following the directions in that link I can access my DSL modem that's in Bridge mode?  ???

            • chpalmer

              What does your modem documentation say about the modem gui and bridge mode?

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              • TreeTopFlyer

                chpalmer, if you were talking to me my docs say you can't access the web gui in bridged mode.  To me it looks like the OP has his modem in "bridge" mode due to the WAN interface on the pfSense box having a public IP.  But I'm not sure what "pass through" mode is . . .

                • bmeeks

                  @GruensFroeschli:

                  http://doc.pfsense.com/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

                  I found a simpler way (for me at least) that works great.  I also have AT&T DSL service.  I am currently using a Netopia 2240 modem, but I also have a Westell for a spare and the setup works with it as well.

                  The number one prerequisite is that your LAN subnet must be different than your DSL modem's LAN side subnet.  For example, my LAN is 192.168.10.0/24 while my DSL modem's LAN interface is 192.168.1.0/24.  I'm using the modem in bridge pass-through mode and pfSense is doing the PPPoE setup.

                  Open a shell session on your pfSense box and identify your WAN side network interface.  For me it is "xl1".  My LAN side is "xl0".
                  Issue a command like the one below to add a second alias IP address to your WAN interface (the one used for the PPPoE connection).  Replace "xl1" and the IP address and netmask with the appropriate values for your setup.  The modem's LAN-side IP address in my setup is 192.168.1.1, so I give my pfSense firewall's WAN interface (the one that is connected to the modem's LAN interface) the address 192.168.1.2.

                  ifconfig xl1 inet 192.168.1.2 netmask 255.255.255.0 alias

                  Next, go into the pfSense NAT configuration in the web GUI and create an Outbound NAT rule as shown below.  The order is important!  The NAT rule for the DSL modem must come before the normal Internet outbound NAT rule.

                  That should do it.  You can now access your DSL modem's web interface from any client on your LAN.

                  ![Outbound NAT Rules.png](/public/imported_attachments/1/Outbound NAT Rules.png)

                  1 Reply Last reply Reply Quote 0
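
The prerequisites in the post above (a LAN subnet distinct from the modem's subnet, and an alias that sits on the modem's subnet without being the modem's own address) can be checked before the alias is applied. This is an added example, not code from the thread; the function names and return codes are assumptions of this sketch, and the modem's subnet is taken from the alias prefix length.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the alias plan before it is
# applied. Return codes (this script's own convention): 0 ok, 1 malformed
# input, 2 LAN overlaps modem subnet, 3 modem not on the alias subnet,
# 4 alias is the modem's own address.

# Print a dotted-quad IPv4 address as a 32-bit integer.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the netmask for a prefix length (0-32) as a 32-bit integer.
prefix_to_mask() {
    case $1 in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# check_alias_plan IFACE LAN_CIDR MODEM_IP ALIAS_CIDR
# On success prints the ifconfig command in the form used in this thread.
check_alias_plan() {
    iface=$1 lan_cidr=$2 modem_ip=$3 alias_cidr=$4
    lan_net=$(ip_to_int "${lan_cidr%/*}") || return 1
    lan_mask=$(prefix_to_mask "${lan_cidr#*/}") || return 1
    alias_ip=$(ip_to_int "${alias_cidr%/*}") || return 1
    alias_mask=$(prefix_to_mask "${alias_cidr#*/}") || return 1
    modem=$(ip_to_int "$modem_ip") || return 1

    # Two subnets overlap when they match under the shorter of the two masks.
    common=$lan_mask
    if [ "$alias_mask" -lt "$common" ]; then common=$alias_mask; fi
    if [ $(( lan_net & common )) -eq $(( modem & common )) ]; then
        echo "LAN $lan_cidr overlaps the modem's subnet; renumber one side" >&2
        return 2
    fi
    if [ $(( alias_ip & alias_mask )) -ne $(( modem & alias_mask )) ]; then
        echo "modem $modem_ip is not on-link for alias $alias_cidr" >&2
        return 3
    fi
    if [ "$alias_ip" -eq "$modem" ]; then
        echo "alias must differ from the modem's own address" >&2
        return 4
    fi
    echo "ifconfig $iface inet $alias_cidr alias"
}

# Stand-alone use: sh check.sh xl1 192.168.10.0/24 192.168.1.1 192.168.1.2/24
if [ $# -eq 4 ]; then check_alias_plan "$@"; fi
```

A plan that passes only shows the addressing is consistent; the Outbound NAT rule and its ordering still have to be set in the web GUI as described in the post.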
                  • zass

                    Well, that does it. Mine got an error fetching redir.tgz since I'm using 1.2.3 RC1, which is FreeBSD 7.1. I was confused at first when there was no NAT address for me; when I set a virtual IP, everything went well. Thank you very much! ;D

                    • Rezin

                      @bmeeks:

                      …

                      I do it almost the exact same way as you, except instead of running the ifconfig command manually, I just add it to the config file so that it happens at startup.

                      <pfsense>
                        ...
                        <system>
                          ...
                          <shellcmd>ifconfig em0 inet 192.168.1.1/24 alias</shellcmd>
                          ...
                        </system>
                        ...
                      </pfsense>
                      

                      Edit: Oops, yeah, forgot about the virtual IP.

                      ![pfSense NAT.png](/public/imported_attachments/1/pfSense NAT.png)
                      ![pfSense VIP.png](/public/imported_attachments/1/pfSense VIP.png)

                      • XIII

                        Why isn't this a problem with cable modems?

                        -Chris Stutzman
                        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                        Check out the pfSense Wiki

                        • bmeeks

                          @Rezin:

                          I do it almost the exact same way as you, except instead of running the ifconfig command manually, I just add it to the config file so that it happens at startup.

                          Yeah, I forgot to include that I also put the alias configuration in the config.xml script the same as you so it happens with every restart.

                          • bartgrefte

                            @XIII:

                            Why isn't this a problem with cable modems?

                            I think it depends on the make and model of the modem, since I've got a cable-modem (Arris TM702B) with a webinterface that cannot be accessed through a router. But that is because the webinterface is disabled when the modem can go online.

                            I have heard of a solution though. When that modem can't go online, the webinterface can be reached at 192.168.100.1.
                            Some people have configured their router's WAN interface with a second (virtual) IP-address in the range of the modem's (internal) IP-address, that seems to make the webinterface accessible while the modem is online, although I haven't tried it with mine.

                            • XIII

                              I can always access 192.168.100.1, no matter what cable modem or Internet status.
                              Maybe because the cable modem gives pf an IP on that subnet at first??

                              • GruensFroeschli

                                A cable modem is something different.
                                With a cable modem you actually have ethernet on the WAN.

                                With ADSL with PPPoE on the pfSense, you have PPPoE frames on the WAN.
                                This is why these workarounds are needed, to force standard ethernet frames to the WAN for the IP of the modem.

                                • eihcet

                                  @bmeeks:

                                  @GruensFroeschli:

                                  http://doc.pfsense.com/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

                                  I found a simpler way (for me at least) that works great.  I also have AT&T DSL service.  I am currently using a Netopia 2240 modem, but I also have a Westell for a spare and the setup works with it as well.

                                  The number one prerequisite is that your LAN subnet must be different than your DSL modem's LAN side subnet.  For example, my LAN is 192.168.10.0/24 while my DSL modem's LAN interface is 192.168.1.0/24.  I'm using the modem in bridge pass-through mode and pfSense is doing the PPPoE setup.

                                  I've tried both methods and neither seems to be working.  I'm using an Alix 2D3 board and PFSense 1.2.3.  The LAN is Vr0 and WAN is VR1.  I entered the command as above, using my WAN and the IP for the modem's network:
                                  ifconfig vr1 inet 192.168.4.2 netmask 255.255.255.0 alias

                                  I then go into the firewall nat rules and set the outbound rule as per the picture but there is no option to set the "Nat Address".  A little investigation and I believe that I should be using a Firewall "virtual IP"  but I'm not sure what settings are correct for that (Proxy Arp looks correct from a later post).  Once I create that virtual IP I can then complete the Outbound Nat Rule, but, I get no response trying to access the modem config on IP 192.168.4.1 and if I use 192.168.4.2 I get a login prompt and it takes me to PFSense's WebGUI on the 192.168.4.2 address.

                                  I know the modem can be accessed while in bridge mode as I used to do it just fine with DDWRT.  Further, It's also a Netopia which is mentioned in the alternative how-to above.

                                  Lastly, I've also tried the WIKI's pkg-add method and using redir and that doesn't seem to work either.  I did the RC conf_mount_rw before following the steps in the wiki (as I'm on nanoBSD).  Again, I get no response trying to access the modem @ http://192.168.4.x:8989 (where x= 2 or 1). I gave up and rebooted pfSense before trying this alternative method.

                                  I'd rather use the outbound nat method described above if I can make it work.  I'm pretty sure it's something to do with the virtual IP assignment settings or the outbound nat rule, I'm not sure if I use Proxy ARP, Carp, or Other.  I'm running through the iterations with little luck.  Any tips are appreciated.

                                  Here's a summary:

                                  Netopia on 192.168.4.1 <-> VR1 (IFConfig = 192.168.4.2) <-> VR0 (192.168.0.x)

                                  Thanks!

                                  • Rezin

                                    How are you doing the NAT rule?

                                    These screenshots might help a little.

                                    LAN = 192.168.10.0/24
                                    WAN = PPPoE and an alias IP of 192.168.1.1 (done via <shellcmd> as in my post above).
                                    Billion modem = 192.168.1.254

                                    ![pfSense Bridged - 1.png](/public/imported_attachments/1/pfSense Bridged - 1.png)
                                    ![pfSense Bridged - 2.png](/public/imported_attachments/1/pfSense Bridged - 2.png)

                                    • eihcet

                                      I'm going to double check my settings per your updated screenshots and post back in a moment, but I'm pretty certain I had all that correct.  I read the Monowall settings here: http://wiki.m0n0.ch/wikka.php?wakka=AccessingModemOutsideFirewall&show_comments=1 and for PPPoE it recommends creating a second 'virtual' lan interface via a manual edit of config.xml.  Just curious if that step is missing from the instructions here (perhaps it's supposed to be obvious)?

                                      Lastly, will having dual wan capability complicate this setup?  Right now I'm using a backup connection on OPT1 (WAN2) and trying to access the modem config on WAN1 (VR1).

                                      • eihcet

                                        Here are my steps:

                                        1. ifconfig vr1 inet 192.168.4.2/24 alias

                                        2. Images:

                                        With the following set, I can access 192.168.4.2 and I'll get a PFSense webgui page.

                                        VirtualIP.png
                                        FirewallNat_OB_Overview.png
                                        FirewallNat_MainRule.png

                                        • Rezin

                                          @eihcet:

                                          I read the Monowall settings here: http://wiki.m0n0.ch/wikka.php?wakka=AccessingModemOutsideFirewall&show_comments=1 and for PPPoE it recommends creating a second 'virtual' lan interface via a manual edit of config.xml.  Just curious if that step is missing from the instructions here (perhaps it's supposed to be obvious)?

                                          What they're saying to do there is what you're doing manually in step #1 - add the IP alias to the WAN NIC. By putting that <shellcmd> line in your config.xml file, it will be run when the pfSense machine boots (so you don't have to do it manually).

                                          You can either backup the pfSense config, edit the .xml file and add in that line, and restore that config… or modify the config.xml file directly (SSH client or keyboard attached to the box).

                                          I do it this way (see my first post in this thread).

                                          Edit 2: Sorry... just re-read what you've asked and my response isn't relevant. Just gone 2am here.. that's my excuse.  ;D I'll read up on that later today.

                                          @eihcet:

                                          Lastly, will having dual wan capability complicate this setup?   Right now I'm using a backup connection on OPT1 (WAN2) and trying to access the modem config on WAN1 (VR1).

                                          Not really sure as I've never looked into dual wan much, but it does sound like there could be a problem here. Are both OPT1 and VR1 connected to the modem you wish to access? You may have to set up the virtual IP (edit: and NAT rule) for OPT1, and add the IP alias to the OPT1 NIC instead of VR1.

                                          • eihcet

                                            No, Opt1 is connected to a different device.  vr1 / WAN = the netopia modem.

                                            Re: the monowall link, the section mid-way that talks to PPPoE connections, where they talk about modifying the interfaces section and adding an OPTn device was the one I was asking about.  Earlier in this thread there is talk about the ifconfig command and running it manually or putting that in the config.xml which makes sense for automation–if I get it working I'll add that to the xml file.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.